DMS8000 NK823x Cybersecurity Guidelines

DMS8000

2 | 30 A6V11979536_en_--_b

Table of Contents

About This Document ...3

Applicable Documents ...4

Download Center ...4

Technical Terms and Abbreviations ...5

Document Revision History ...8

1 IT Security Notices ...9

2 Cybersecurity Guidelines Reference ...10

3 System Security Guidelines ...11

3.1 Current Software and Firmware Version Status ...12

3.2 Protected System Configuration ...12

3.2.1 Zone Boundary Protection...13

3.2.2 Access Through Untrusted Networks ...14

3.3 Installation/Commissioning ...15

3.3.1 Security Measures ...15

3.3.2 Port Settings ...16

3.4 Operation/Maintenance...17

3.4.1 Maintenance of IT Components...17

3.4.2 Phase out/End of Life ...17

4 Intended Operation Environment ...18

4.1 Definition of Intended Operational Environment...18

4.2 Isolated Network Deployment ...20


About This Document Applicable Documents

About This Document

Purpose

These guidelines are designed to provide guidance and conditions for connecting legacy fire and intrusion detection systems over NK823x devices to the DMS8000 system. They describe all the permitted applications for the intended operational environment.

For security-related information for the system owner for maintaining security in the life cycle of the system, see Operation/Maintenance [➙ 17].

Scope

This document applies to NK823x and DMS8000.

Retention and Availability

NOTICE

Damage Due to Misuse

This document must be available in a usable format throughout the entire life cycle of the product. Keep the document for reference and ensure that it can be accessed by target groups.

Should you require another copy of this document, contact Customer Support Center at +49 89 9221-8000 or email [email protected].

Target Audience

System owner, according to EN 50110-1, is “nominated person with the overall responsibility to ensure the safe operation of the electrical installation by setting rules and organization or framework”. “This person can be the owner, employer, proprietor, or a delegated person.” “Some of these duties can be delegated to others as required. For large or complex electrical installations or networks, the duties can be delegated for parts of the installations or the network.”

IT security officers support companies when it comes to assessing the security of products, solutions, and services, and defining and implementing improvements. They are technical experts in all aspects of IT security.

Project Manager coordinates the deployment of all persons and resources involved in the project according to schedule, provides the information required to run the project, has obtained suitable specialist training for the function and for the products, and has attended the training courses for Project Managers.

Commissioning Personnel configure the product at the place of installation according to customer-specific requirements, check the product operability and release the product for use by the operator, search for and correct malfunctions, have obtained suitable specialist training for the function and for the products, and have attended the training courses for commissioning personnel.

Source Language and Reference Document

● The reference version of this document is the international version in English. The international version is not localized.


Applicable Documents

Title Document ID/Reference

Operation of electrical installations – Part 1: General requirements

EN 50110-1:2013

Industrial communication networks – Network and system security – Part 1-1: Terminology, concepts and models

IEC/TS 62443-1-1

Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program

IEC 62443-2-1

Information technology – Security techniques – Guidelines for cybersecurity

ISO/IEC 27032:2012

Information technology – Security techniques – Network security

ISO/IEC 27033 Part 1…6

Information technology – Security techniques – Application security

ISO/IEC 27034 Part 1…6

DMS8000 Cybersecurity Guidelines

A6V11951062_en--_a

Download Center

To download various types of documents, such as datasheets, mounting instructions, and license texts:

1. Go to the following website:

https://www.downloads.siemens.com/dlc/Default.aspx?mandator=ic_bt&segment=HQ&pos=newton&language=en

2. In the Search for field, enter the document ID.

3. Click Search.

On the homepage, you will also find other criteria to search for documents and mobile applications (apps) for the various systems.


Technical Terms and Abbreviations

Term Description

Autotrunking Autotrunking is a function that enables one or more switch ports in a Cisco system of virtual local area networks (VLANs) to carry traffic for any or all the VLANs accessible through a particular switch. ... In Cisco's Dynamic Trunking Protocol (DTP), a port can be set to autotrunking by default (DTP auto).

BA Building Automation

BACnet BACnet is a communication protocol for Building Automation and Control (BAC) networks. BACnet was designed to allow communication of building automation and control systems for applications such as heating, ventilating, and air-conditioning control (HVAC), lighting control, access control, and fire detection systems and their associated equipment. The BACnet protocol provides mechanisms for computerized building automation devices to exchange information, regardless of the particular building service they perform.

DMZ DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, usually a larger network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled. The DMZ functions as a small, isolated network positioned between the Internet and the private network and, if its design is effective, allows the organization extra time to detect and address breaches before they would further penetrate the internal networks.

EOL End of life cycle.

ETH1 / ETH2 NK823x Ethernet interface 1 / NK823x Ethernet interface 2.

FEP Front End Processor is a computer that extends and distributes connectivity to field networks. The purpose is to off-load from the host computer the work of managing the peripheral devices, transmitting and receiving messages, packet assembly and disassembly, error detection, and error correction.

Firewall Firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules.

ICMP Internet Control Message Protocol.

IEC The International Electrotechnical Commission is an international standards organization that prepares and publishes International Standards for all electrical, electronic and related technologies – collectively known as electrotechnology.

IIS Internet Information Services is an extensible web server created by Microsoft for use with the Windows NT family. IIS supports HTTP, HTTP/2, HTTPS, FTP, FTPS, SMTP and NNTP.

IPv4 Internet Protocol version 4 (IPv4) is the fourth version of the Internet Protocol (IP). It is one of the core protocols of standards-based internetworking methods in the Internet and was the first version deployed for production in the ARPANET in 1983.

IPv4 is a connectionless protocol for use on packet-switched networks. It operates on a best effort delivery model; in that it does not guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery. These aspects, including data integrity, are addressed by an upper layer transport protocol, such as the Transmission Control Protocol (TCP).

IPv6 Internet Protocol version 6 is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv6 was developed by the Internet Engineering Task Force (IETF) to deal with the long-anticipated problem of IPv4 address exhaustion. IPv6 is intended to replace IPv4.


ISA-99/IEC 62443 Security Level ANSI/ISA 62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end-users (for example, asset owner), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, implementing, or managing IACS.

These documents were originally referred to as ANSI/ISA-99 or ISA99 standards, as they were created by the International Society for Automation (ISA) and publicly released as American National Standards Institute (ANSI) documents. In 2010, they were renumbered to be the ANSI/ISA-62443 series. This change was intended to align the ISA and ANSI document numbering with the corresponding International Electrotechnical Commission (IEC) standards.

ISO The International Organization for Standardization is an international standard-setting body composed of representatives from various national standards organizations.

MMS Management station. In this document, it is used as a synonym for DMS8000.

NK823x NK823x is a family of gateway products.

The following products can be used with DMS8000 (MM8000 and MK8000) management stations:

● S54461-C2-A1 NK8235.2 Ethernet Port, 2 Ser. IF

● S54461-C2-A2 NK8235.4 Ethernet Port, 4 Ser. IF

● S54461-C2-A3 NK8232.2 Ethernet Port, single subsystem

The following product can be used with the MM2000 management station:

● S54461-C5-A1 NK8231.2 CEI Interface

The following product is used as a gateway between Sinteso (or Cerberus PRO) and STT20 fire detection systems, and Modbus head-end/automation systems:

● S54461-C7-A1 NK8237.2 Modbus Gateway

Protection zone Physically separated, private network. A fire detection system is a physically separated network and forms a Protection zone. Network access from outside of this zone into this zone is only allowed through a protective component at the boundary to the Protection zone.

Public key certificate In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key[1]. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject.[2] In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

In a typical public-key infrastructure (PKI) scheme, the certificate issuer is a certificate authority (CA), usually a company that charges customers to issue certificates for them. By contrast, in a web of trust scheme, individuals sign each other's keys directly, in a format that performs a similar function to a public key certificate.

The most common format for public key certificates is defined by X.509. Because X.509 is very general, the format is further constrained by profiles defined for certain use cases, such as Public Key Infrastructure (X.509) as defined in RFC 5280.


RDP Remote Desktop Protocol is a proprietary protocol developed by Microsoft, which provides a user with a graphical interface to connect to another computer over a network connection. The user employs RDP client software for this purpose, while the other computer must run RDP server software.

Standalone station Standalone station with local connection for the computer.

Trusted network The term trusted network refers to users or devices of an area which is considered particularly secure or protected. Typically, this area is a private section of a network. This private section of the network must be protected from attacks by hackers and other security-related threats.

TNW Acronym for trusted network.

Untrusted network The term untrusted network refers to users or devices of an area which is considered not secure or not protected. Typically, this area is a network outside the trusted network.

UTNW Acronym for untrusted network.

VLAN Virtual LAN. Any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). LAN is the abbreviation for local area network and in this virtual context refers to a physical object recreated and altered by additional logic. VLANs work by applying tags to network frames and handling these tags in networking systems – creating the appearance and functionality of network traffic that is physically on a single network but acts as if split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed.

VLAN 1 Cisco switches have a factory configuration in which default VLANs are preconfigured to support various media and protocol types. The default Ethernet VLAN is VLAN 1. It is a security best practice to configure all the ports on all switches to be associated with VLANs other than VLAN 1. This is usually done by configuring all unused ports to a black hole VLAN that is not used for anything on the network. All used ports are associated with VLANs distinct from VLAN 1 and distinct from the black hole VLAN. It is also a good practice to shut down unused switch ports to prevent unauthorized access.

VPN Virtual Private Network. It extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

Each end of the connection is a VPN endpoint. The connection between them is a VPN tunnel.

VPN-EP VPN endpoint.


Document Revision History

Document Identification

The document ID is structured as follows:

ID_Language(COUNTRY)_ModificationIndex_ProductVersionIndex

Example: A6Vnnnnnnnn_en_a_02

Document Revision History

Modification Index   Edition Date   Brief Description

a                    2020-02-29     First edition


1 IT Security Notices

Responsibility of the System Owner

The information technology (IT) used on site is the responsibility of the system owner.

Standards, Regulations, and Legislation

Follow the policies of your company as well as any national regulations or international standards, such as ISO/IEC 27002 and IEC 62443.

The Federal Office for Information Security (BSI) provides information on basic cybersecurity for Germany in both German and English.

Product Security Guidelines

The security guidelines in this document provide the system owner with additional specifications – alongside basic IT protection – for operating a corresponding system. These additional specifications are valid at the time of publication.

Cybersecurity Disclaimer

Siemens provides a portfolio of products, solutions, systems, and services that includes security functions that support the secure operation of plants, systems, machines, and networks. In the field of Building Technologies, this includes building automation and control, fire safety, security management as well as physical security systems.

In order to protect plants, systems, machines, and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art security concept. Siemens’ portfolio only forms one element of such a concept. You are responsible for preventing unauthorized access to your plants, systems, machines, and networks, which should only be connected to an enterprise network or the Internet if and to the extent such a connection is necessary and only when appropriate security measures (for example, firewalls and/or network segmentation) are in place. Additionally, Siemens’ guidance on appropriate security measures should be considered.

For additional information, contact your Siemens sales representative or visit https://www.siemens.com/global/en/home/company/topic-areas/future-of-manufacturing/industrial-security.html.

Siemens’ portfolio undergoes continuous development to make it more secure. Siemens strongly recommends that updates are applied as soon as they are available and that the latest versions are used. Use of versions that are no longer supported, and failure to apply the latest updates may increase your exposure to cyber threats. Siemens strongly recommends complying with security advisories on the latest security threats, patches and other related measures, published, among others, under


2 Cybersecurity Guidelines Reference

For the following topics, refer to the relevant sections in the DMS8000 Cybersecurity Guidelines document (see Applicable Documents [➙ 4]).

● Safety

● Cybersecurity Basics

● Cybersecurity Guidelines – How to Secure the System

● Hardening Guidelines (for Deployment Options)

● Checklist


3 System Security Guidelines

The NK823x Ethernet ports are used to connect local and distributed safety or security devices to DMS8000 management stations.

NK823x units can also support onboard I/O lines and local DF8000 I/O modules.

Fig. 1: NK823x Ethernet Port

The NK823x units can communicate with DMS8000 management stations through the following protocols:

● CMSDL/IP

● BACnet/IP or CEI 79-5/IP on Ethernet

● CMSDL/serial on RS232 line

In addition, the NK823x units can communicate with Modbus head-end/automation systems through Modbus TCP on Ethernet or Modbus RTU on serial line (RS485 or RS232), providing Modbus gateway functionality for Sinteso, Cerberus PRO, or STT20 fire safety systems.

NOTICE

CMSDL/IP, BACnet/IP, and Modbus TCP are unprotected protocols. This requires that the connection between DMS8000 (and third-party Modbus hosts) and the NK823x Ethernet port must be protected from attacks and unauthorized access.

Fig. 2: Unprotected Connection Between DMS8000 and NK823x (figure labels: LAN (Ethernet TCP/IP); Server/Client; Client; AlgoRex CS11, STT11/20, DF8000, Sintony SI410, NK823x, FS20)


3.1 Current Software and Firmware Version Status

Contact your local Siemens service organization to verify if the latest software and firmware versions are installed in your NK823x units.

Latest available versions at creation of this document:

DMS8000 MP4.81-03

NK823x firmware for DMS8000: NK823x_4.81_Build_67 (17/05/19 4.81B67)

NK823x kernel for:

● NKM8001-A1 hardware version: "Linux 2.6.32.41 #216 Thu Dec 12 08:11:34 CET 2013 ppc - 4.81_20200203"

● NKM8001-A2 hardware version: "Linux 2.6.32.41 #211 Tue Dec 10 18:41:36 CET 2013 ppc - 4.81_20200203"

3.2 Protected System Configuration

The NK823x system is a critical business application aimed at protecting people. Therefore, this system must be protected against attacks and unauthorized access. The NK823x system must be in a separate network zone, referred to here as the Protected Zone or protection zone.

The components in the Protected Zone must not be connected to unsecured networks on the intranet or the Internet. Allowed connections are those described in the intended operational environment [➙ 18].

Communication between the Protected Zone and other zones must be through a firewall and must be limited to the minimum necessary.


3.2.1 Zone Boundary Protection

The NK823x system is a safety-related system that must be protected from attacks and unauthorized access from untrusted networks, for example, the Internet.

The plant operator is responsible for network planning and design, including the zone boundary protection.

The NK823x system is a physically separated network that forms a Protected Zone. The zone boundary protection provides inbound and outbound protection for the Protected Zone. A separate VLAN alone does not meet the requirements for zone boundary protection (ZBP).

For any connection to external networks or other systems, the corresponding protection must be provided at the border of the Protected Zone.

Local connections to the system do not require additional protective measures if the system accessing the Protected Zone is stand-alone, and thus has no interfaces to other systems.

For systems remotely accessing the Protected Zone (see Tunneled Network Deployment [➙ 23]), protective measures are required.

Fig. 3: Protected Zone (figure labels: AlgoRex CS11, STT11/20, DF8000, Sintony SI410, FS20; Protected Zone; ZBP + VPN-EP)


3.2.2 Access Through Untrusted Networks

Communication over untrusted networks between remote clients and the Protected Zone must be protected with a highly secure communication channel.

● The Protected Zone must always be protected by a firewall.

● Use VPN technology for the communication channel.

VPN technology does not need to be integrated with every component. It is sufficient for a single firewall configured as a VPN endpoint to sit at the boundary of the Protected Zone, in front of the non-protected trusted network.

If an authorized user or device uses a non-trusted network to communicate with Protected Zone devices, a VPN connection must be created with the firewall at the Protected Zone boundary.

If the use of VPN is not possible, the plant operator must create a connection equally secured.

Fig. 4: Access Through Untrusted Networks (figure labels: Protected Zone; ZBP + VPN-EP; FW; UTNW; SC; Remote MMS; Remote Client with Remote Maintenance Tool)

Legend:

SC Highly secure communication channel

MMS Management station

FW Firewall

UTNW Untrusted network

ZBP Zone Boundary Protection

VPN EP VPN endpoint


3.3 Installation/Commissioning

3.3.1 Security Measures

Physical Security

● The NK823x must be installed inside the housing of a control unit or inside a dedicated cabinet (NE8001).

● The DMS8000 server machine must be locked in a restricted access control room.

● The NK823x Ethernet port and housing must be installed in the same protected room as DMS8000 or in a dedicated protected room.

● DMS8000 and the NK823x Ethernet port must be connected through a dedicated Ethernet cable when DMS8000 and NK823x are installed in the same room.

● The connection between NK823x and the field control units must be placed in the same protected room.

● A network connection is allowed only through a tunneling VPN.

Network Protection

● The NK823x must be installed on a protected network, that is, either a LAN without external access or, in the case of a WAN, behind a firewall.

● The firewall shall be adequately configured.

● DMS8000 and its subsystems must be physically isolated (through a dedicated network) from the customer’s network and the Internet. This also includes RDP connections.

● The NK823x Ethernet port must be installed in a protected cabinet and connected to DMS8000 through a dedicated network or a VPN.

● VPN must be used to protect the client/server communication through tunnel communication.

● Disable FTP and use Secure download instead.

Measures to be Observed

● The communication between the DMS8000 server and the NK823x zone must be encrypted (see Tunneled Network Deployment [➙ 23]).

● The NK823x-specific requirements for communication must be respected (see Definition of Intended Operational Environment [➙ 18]).

● The communication channel must not be connected to external devices (see Definition of Intended Operational Environment [➙ 18]).

● The communication channel must allow NK823x-related communication only (see Definition of Intended Operational Environment [➙ 18]).

VLAN Configuration Requirements

The owner of the network or the plant operators are responsible for creating a secure VLAN configuration. The following requirements must be met:

● Only static VLAN must be used.

● Any connection to other VLANs, such as through monitoring, is not allowed.

● Standard segments, such as VLAN1, must not be used.

● Unused ports must be disabled and an unused VLAN be assigned.

● The autotrunking function of the switch must be deactivated.
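The following Python script is an added example, not part of this guideline or of any Siemens product; it audits a constructed Cisco IOS-style switch configuration against the VLAN requirements listed above: static VLANs only, no VLAN 1, unused ports shut down and parked in an unused (black-hole) VLAN, and autotrunking (DTP) deactivated. The sample configuration, the interface names and the choice of VLAN 999 as the black-hole VLAN are assumptions made for the example; the check that access ports also carry switchport nonegotiate is a hardening step the example adds, since an access-mode port on many Cisco switches still emits DTP frames until negotiation is switched off.

```python
from dataclasses import dataclass

# Constructed sample of a Cisco IOS-style switch configuration (an assumption
# for this example, not a configuration from the guideline or a real site):
# two access ports carry the NK823x zone VLAN, one port was left in its factory
# state, and one unused port is shut down and parked in a black-hole VLAN.
SAMPLE_CONFIG = """
vlan 100
 name NK823X-ZONE
vlan 999
 name BLACKHOLE
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport mode dynamic auto
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 999
 shutdown
"""

# Assumption: the operator chose VLAN 999 as the unused ("black hole") VLAN.
BLACKHOLE_VLAN = 999


@dataclass
class Port:
    name: str
    mode: str = ""              # "access", "trunk", "dynamic auto", "dynamic desirable" or "" (unset)
    access_vlan: int = 1        # Cisco default when no access VLAN is configured
    dynamic_vlan: bool = False  # "switchport access vlan dynamic" (VMPS assignment)
    nonegotiate: bool = False   # "switchport nonegotiate" suppresses DTP frames
    shutdown: bool = False


def parse_ports(config):
    """Extract the per-interface settings this audit needs from an IOS-style text."""
    ports, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports.append(current)
        elif current is None or not line or line.startswith("!"):
            continue  # global config, blank lines and separators are not needed here
        elif line.startswith("switchport mode "):
            current.mode = line[len("switchport mode "):]
        elif line.startswith("switchport access vlan "):
            value = line.rsplit(None, 1)[1]
            if value == "dynamic":
                current.dynamic_vlan = True
            else:
                current.access_vlan = int(value)
        elif line == "switchport nonegotiate":
            current.nonegotiate = True
        elif line == "shutdown":
            current.shutdown = True
    return ports


def audit(ports, blackhole_vlan=BLACKHOLE_VLAN):
    """Return (interface, finding) pairs for every violation of the VLAN requirements."""
    findings = []
    for p in ports:
        if p.shutdown:
            # An unused port must be both disabled and assigned to the unused VLAN.
            if p.access_vlan != blackhole_vlan:
                findings.append((p.name, "disabled port is not assigned to the unused VLAN"))
            continue
        if p.dynamic_vlan:
            findings.append((p.name, "dynamic (VMPS) VLAN assignment; only static VLANs are allowed"))
        elif p.access_vlan == 1:
            findings.append((p.name, "port is in default VLAN 1"))
        elif p.access_vlan == blackhole_vlan:
            findings.append((p.name, "active port is in the black-hole VLAN"))
        # An unset mode falls back to the platform default, which on many Cisco
        # switches is a dynamic (DTP-negotiating) mode; treat it as autotrunking.
        if not p.mode or p.mode.startswith("dynamic"):
            findings.append((p.name, "autotrunking (DTP) is not deactivated"))
        elif not p.nonegotiate:
            findings.append((p.name, "DTP frames still sent; add 'switchport nonegotiate'"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit(parse_ports(SAMPLE_CONFIG)):
        print(f"{iface}: {problem}")
```

Run against the sample, the audit reports only GigabitEthernet1/0/3 (factory state: VLAN 1 and dynamic trunking); the two zone ports and the parked port pass. Feeding it a real running-config export is a quick pre-commissioning check, but it only covers the four settings it parses and says nothing about the monitoring (SPAN) connections the second requirement forbids.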


3.3.2 Port Settings

NK823x

A Requirements

TCP/IP 10BaseT (100BaseT or 100BaseT (NK823x only)), 250 Kbit/sec bandwidth required

B Ports

● TCP port 3001

● TCP ports 3001…3004 in multiple host configurations

● TCP ports 20 and 21 (FTP for the configuration download to NK823x)

● TCP port 22 (SSH Secure Shell)

● TCP port 20500 (if secure configuration and firmware download is enabled)

● TCP port 4000 for service messages

● UDP port 47808 (hex BAC0) is default for BACnet connectivity, but it is configurable.

For Modbus GW functionality:

● TCP port 502 (default for Modbus connectivity, configurable)

For IEC GW functionality:

● TCP port 2404 (default for IEC 60870-5-104 connectivity, configurable)

C Bandwidth measures

Normal operations:

● 0.1 Kbit/sec per NK823x + 0.1 Kbit/sec per control unit

Peaks (firmware and configuration downloads):

● 64 Kbit/sec (file transfer, around 5 sec) per NK823x

D Web server

NK823x web server is disabled starting from DMS8000 MP4.81-02.

Other LAN/WAN Connections for Specific Control Units

A Requirements

Depends on communication characteristics of the control unit. For example, a serial link at 9600 bps with LAN adapter will require 1 Kbps.

B TCP ports

Depends on specific communication characteristics. Typically, this is configurable in software.

C Bandwidth measures

Depends on specific communication characteristics.

● In case of serial links with LAN adapter, it is recommended to consider the entire serial baud rate as maximum impact.
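As an added example (not code from this guideline or from Siemens), the Python module below turns the NK823x port table into a zone-boundary allow-list that follows the "minimum necessary" rule of section 3.2 and the "Disable FTP and use Secure download instead" measure of section 3.3.1, checks a set of constructed connection attempts against it, and renders the list as an nftables forward chain for a Linux-based boundary firewall. The port numbers are those of the table above; the flow records, the peer names, the placeholder address 192.0.2.10 and the nftables table name are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A connection attempt arriving at the Protected Zone boundary, destined for the NK823x."""
    peer: str    # who initiated it: "dms8000", "modbus_host" or anything else (assumed names)
    proto: str   # "tcp" or "udp"
    dport: int   # destination port on the NK823x


# Only the DMS8000 server and (for the Modbus gateway function) the Modbus
# head-end may talk to the NK823x across the boundary.
TRUSTED_PEERS = {"dms8000", "modbus_host"}


def nk823x_allowed_ports(multi_host=False, secure_download=True,
                         modbus_gw=False, iec_gw=False,
                         bacnet_port=47808, modbus_port=502, iec_port=2404):
    """Build the set of (proto, port) the boundary firewall admits towards the NK823x.

    The fixed ports come from the guideline's port table; the BACnet, Modbus and
    IEC 60870-5-104 ports are configurable on the device, so they are parameters.
    """
    allowed = {("tcp", 3001), ("tcp", 22), ("tcp", 4000), ("udp", bacnet_port)}
    if multi_host:                      # several DMS8000 hosts: ports 3001...3004
        allowed |= {("tcp", p) for p in range(3001, 3005)}
    if secure_download:                 # secure configuration/firmware download
        allowed.add(("tcp", 20500))
    else:                               # legacy FTP download; the guideline says to disable it
        allowed |= {("tcp", 20), ("tcp", 21)}
    if modbus_gw:
        allowed.add(("tcp", modbus_port))
    if iec_gw:
        allowed.add(("tcp", iec_port))
    return allowed


def audit_flows(flows, allowed):
    """Classify each flow as (flow, "allow"|"deny", reason) against the boundary policy."""
    verdicts = []
    for f in flows:
        if f.peer not in TRUSTED_PEERS:
            verdicts.append((f, "deny", "peer is not an NK823x communication partner"))
        elif (f.proto, f.dport) not in allowed:
            verdicts.append((f, "deny", f"{f.proto}/{f.dport} is not in the NK823x port list"))
        else:
            verdicts.append((f, "allow", "NK823x-related communication"))
    return verdicts


def render_nftables(allowed, nk823x_addr):
    """Render the allow-list as an nftables forward chain with a default drop policy."""
    tcp = sorted(p for proto, p in allowed if proto == "tcp")
    udp = sorted(p for proto, p in allowed if proto == "udp")
    lines = ["table inet nk823x_zbp {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    if tcp:
        lines.append(f"    ip daddr {nk823x_addr} tcp dport {{ {', '.join(map(str, tcp))} }} accept")
    if udp:
        lines.append(f"    ip daddr {nk823x_addr} udp dport {{ {', '.join(map(str, udp))} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample flows (not captured traffic) for a site with the Modbus
# gateway function enabled and secure download in use.
SAMPLE_FLOWS = [
    Flow("dms8000", "tcp", 3001),       # CMSDL/IP from the management station
    Flow("dms8000", "tcp", 21),         # FTP: disabled in favour of secure download
    Flow("dms8000", "tcp", 20500),      # secure configuration/firmware download
    Flow("dms8000", "udp", 47808),      # BACnet/IP on the default port
    Flow("modbus_host", "tcp", 502),    # Modbus TCP from the head-end
    Flow("other", "tcp", 80),           # web access from outside the zone
    Flow("other", "tcp", 22),           # SSH from outside the zone
]

if __name__ == "__main__":
    policy = nk823x_allowed_ports(modbus_gw=True)
    for flow, verdict, why in audit_flows(SAMPLE_FLOWS, policy):
        print(f"{verdict:5} {flow.peer:12} {flow.proto}/{flow.dport:<5} {why}")
    # 192.0.2.10 is a documentation-range placeholder, not a real device address.
    print(render_nftables(policy, "192.0.2.10"))
```

The allow-list is deliberately built from the device's feature flags rather than copied wholesale: with secure download enabled, FTP ports 20 and 21 are absent, and the Modbus and IEC ports appear only when the corresponding gateway function is in use. SSH on port 22 stays in the list because the table lists it, but the peer check still drops it from anyone other than the management station, which is the "NK823x-related communication only" rule of section 3.3.1 expressed as a rule order.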


3.4 Operation/Maintenance

3.4.1 Maintenance of IT Components

The preservation of IT security is an ongoing process whose tasks must be repeated continuously. Therefore, each security measure must be examined to determine whether its one-time implementation is sufficient or periodic maintenance is required, such as regularly updating the antivirus software.

● Log all the maintenance actions performed.

● Install security updates regularly.

● At regular intervals, carry out a risk analysis on the security features of the software in use.

● Observe the guidance in section IT Security in the document DMS8000 Cybersecurity Guidelines (see Applicable Documents [➙ 4]).

3.4.2 Phase out/End of Life

Every IT component involved in the access to the Protection Zone must be replaced when it is no longer supplied by the manufacturer with security updates. If this EOL-IT component cannot be replaced, the Protection Zone must be


4 Intended Operation Environment

(Including Deployment Options)

4.1 Definition of Intended Operational Environment

The NK823x Ethernet port system is an automation device that connects control units for fire and intrusion with the DMS8000 management station.

Fig. 5: NK823x Interfaces

The NK8235 employs an industry standard MPC885 PowerPC CPU and is composed of:

● Base board with power supply, CPU module, and basic configuration of interfaces

● Optional add-on board with 2 RS232 ports (GND, Rx, Tx only)

The base board is equipped with:

● Power supply

● 2 serial interfaces (2 RS232/RS485)

● Dual Ethernet 10/100Base-T interface provides:

– Optional redundancy for BACnet, CMSDL/IP or CEI 79-5 protocol

– Possibility to distribute BACnet/IP and/or CMSDL/IP protocols over two Ethernet lines

– Routing and firewall functions across the Ethernet lines with the following configurable options:

- Stand-alone firewall providing protection from external sabotage with routing between ETH1 and ETH2 disabled

- Edge firewall providing protection of internal network (for example, MM8000 connected to FS20) with specific port access to external network (for example, Modbus client through NK8235) with routing between ETH1 and ETH2 enabled

● MPC885 Power PC CPU module with:

– 64MB RAM

– 32MB flash EPROM disk

(Fig. 5 labels: DF8090 power supply supervision; NK8235 power supply, MPC885 CPU, flash, RAM, RTC; Ethernet 1 and Ethernet 2 to upstream devices MM8000 + NS8210 or MK8000 + NS8210, MM8000 / MK8000 + NS8011 / NS8210; local upstream device MM8000 + NS8012, MK8000 + NS8012, MT8001; optional modem, 5 phone numbers; I²C serial subsystems and I/O modules DF8020, DF8040, DF8045, DF8046; USB; 2 x RS232/RS485; 3 x In, 1 x Out; 2 x RS232; optional SD logging storage. See NK8235 datasheet (A6V10238669).)


– Real-time clock (RTC)

– Linux operating system

– BACnet protocol stack

● I2C bus

● 3 digital inputs; 1 relay output

● Diagnostic LEDs

● USB port supporting Echelon U10 USB Network Interface - TP/FT-10 Channel for CS6 Guarto integration or mass storage devices for logging storage of selectable data flow (upstream and/or downstream). USB port file system: FAT32; 2-64 GB

● SD card slot supporting Secure Digital (SD) memory cards for logging of selectable data flow (upstream and/or downstream). SD card file system: FAT32; 2-32 GB; a 16 GB SD card is included

The communication between DMS8000 management stations and NK823x units occurs through the protocols CMSDL/IP, BACnet/IP or CEI 79-5/IP on Ethernet or CMSDL/serial on RS232 line. In addition, the NK823x units can communicate with Modbus head-end/automation systems through Modbus TCP on Ethernet or Modbus RTU on serial line (RS485 or RS232) providing Modbus gateway functionality for Sinteso, Cerberus PRO, or STT20 fire safety systems. CMSDL/IP, BACnet/IP and Modbus TCP are unprotected protocols. This requires that the connection between DMS8000 (and third-party Modbus hosts) and the NK823x Ethernet port must be protected from attacks and unauthorized access.

DMS8000 and NK823x must be operated in a protected environment. The following secure deployments are possible:

● Isolated network [➙ 20]

● Tunneled network [➙ 23]

The components in DMS8000 must not be connected to other networks (for example, intranet or the Internet), except for any temporary connections created for maintenance purposes.

The following sections describe the permitted use cases in detail. Any other possible applications other than the following use cases are not permitted.

BACnet Security

BACnet is a public protocol and no encryption is currently supported by management stations and control units.

Therefore, eavesdropping on the network and even active attacks cannot be ruled out, especially when using customer networks in large, campus-wide solutions (the same risk applies to the other supported protocols CMSDL/IP and Modbus TCP).

This threat requires a serious evaluation when planning a BACnet network for danger management, and appropriate security measures should be considered carefully. Among various technical solutions, we recommend the implementation of a VPN (Virtual Private Network), a private data network that makes use of a public telecommunication infrastructure, maintaining privacy thanks to a tunneling protocol and encryption techniques.

VPNs can therefore create a secure connection for BACnet communications between management stations and control units.

The DMS8000 management stations based on a Windows computer can directly handle VPN links with an appropriate configuration setting (refer to Microsoft documentation or the numerous support sites). Field control units typically require a network security device (such as Cisco ASA, Siemens Simatic Scalance S) that can provide the necessary VPN functions.


NOTICE

Insecure Networks

Connections between computers at backbone level and insecure networks (like the Internet or any other networks) can compromise the security of the system.

Zone Boundary Protection

● The NK823x isolated network is a physically protected security zone (for example, locked in a rack in the server room). It uses separate networks that permit only restricted access to its components.

● An exception can be made for a temporary connection opened for remote maintenance access; it must be closed immediately after the operation has been completed.

● A separate VLAN alone does not meet the requirements for Zone Boundary Protection. A firewall is also required.

● If one of the allowed components is remote, a physically protected and secured communication path is also required. This is achieved through tunneling, which enables the users to create a virtual network between two remote points on an existing public IP network and communicate through a VPN.

● Zone Boundary Protection must be implemented through VPN and firewall, limiting inbound and outbound communication to the temporary exception for remote maintenance access.
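The two rules that matter at the boundary (the unprotected protocols CMSDL/IP, BACnet/IP and Modbus TCP stay inside the Protected Zone; anything crossing the boundary goes only through the VPN tunnel and only as a temporary maintenance exception) can be checked mechanically against the boundary firewall's flow log. The following Python script is an added example, not code from Siemens or from these guidelines. It assumes a boundary firewall with constructed interface names (eth0 towards the Protected Zone, eth1 towards the untrusted WAN, tun0 for the VPN tunnel), a constructed Protected Zone subnet, a constructed maintenance window with a ticket number, and the well-known ports 502 (Modbus TCP) and 47808 (BACnet/IP). The flow records are constructed as well.

```python
"""Zone Boundary Protection check over constructed firewall flow records.

Added example (not part of the Siemens guideline). Each record is the
ingress view of the boundary firewall in front of the NK823x Protected Zone.
Policy, taken from the guideline: traffic may stay inside the zone; anything
crossing the boundary is tolerated only through the VPN tunnel and only as a
temporary, ticketed maintenance exception; the unprotected protocols
(BACnet/IP, Modbus TCP) must never be reachable directly from outside.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed deployment parameters (assumptions for this example).
PROTECTED_ZONE = ipaddress.ip_network("10.10.0.0/24")   # NK823x + local MMS
PROTECTED_INTERFACE = "eth0"                            # boundary port facing the zone
UNTRUSTED_INTERFACE = "eth1"                            # boundary port facing the WAN
VPN_INTERFACE = "tun0"                                  # VPN endpoint's tunnel interface

# Well-known ports of the unprotected protocols named in the guideline.
UNPROTECTED_PORTS = {("tcp", 502): "Modbus TCP", ("udp", 47808): "BACnet/IP"}

# Temporary maintenance exceptions (constructed): (start, end, change ticket).
MAINTENANCE_WINDOWS = [
    (datetime(2021, 6, 1, 8, 0, tzinfo=timezone.utc),
     datetime(2021, 6, 1, 10, 0, tzinfo=timezone.utc), "CHG-0042"),
]

FLOW_RE = re.compile(
    r"ts=(?P<ts>\S+) in=(?P<iface>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)

# Constructed flow records in a syslog-like key=value format.
SAMPLE_FLOWS = [
    "ts=2021-06-01T08:30:00Z in=eth0 src=10.10.0.20 dst=10.10.0.5 proto=udp dport=47808",
    "ts=2021-06-01T08:35:00Z in=tun0 src=192.168.50.7 dst=10.10.0.5 proto=tcp dport=22",
    "ts=2021-06-01T14:00:00Z in=tun0 src=192.168.50.7 dst=10.10.0.5 proto=tcp dport=22",
    "ts=2021-06-01T14:05:00Z in=eth1 src=203.0.113.9 dst=10.10.0.5 proto=tcp dport=502",
    "ts=2021-06-01T14:06:00Z in=eth0 src=10.10.0.5 dst=198.51.100.4 proto=tcp dport=443",
    "ts=2021-06-01T14:07:00Z in=eth1 src=10.10.0.9 dst=10.10.0.5 proto=udp dport=47808",
]


def parse_flow(line):
    """Parse one key=value record into typed fields; reject anything malformed."""
    m = FLOW_RE.match(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"].replace("Z", "+00:00")),
        "iface": d["iface"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "proto": d["proto"],
        "dport": int(d["dport"]),
    }


def in_maintenance_window(ts):
    """Return the ticket of the open maintenance exception at ts, else None."""
    for start, end, ticket in MAINTENANCE_WINDOWS:
        if start <= ts <= end:
            return ticket
    return None


def evaluate_flow(flow):
    """Return None if the flow complies with the zone policy, else (rule, detail)."""
    src_in = flow["src"] in PROTECTED_ZONE
    dst_in = flow["dst"] in PROTECTED_ZONE
    service = UNPROTECTED_PORTS.get((flow["proto"], flow["dport"]),
                                    f"{flow['proto']}/{flow['dport']}")
    ticket = in_maintenance_window(flow["ts"])

    # A zone address arriving on any port other than the zone's own is spoofed.
    if src_in and flow["iface"] != PROTECTED_INTERFACE:
        return ("spoofed-zone-address",
                f"{flow['src']} claims a Protected Zone address on {flow['iface']}")
    if src_in and dst_in:
        return None                      # traffic that stays inside the Protected Zone
    if dst_in:                           # inbound across the boundary
        if flow["iface"] != VPN_INTERFACE:
            return ("direct-untrusted-access",
                    f"{service} from {flow['src']} reached {flow['dst']} without the VPN tunnel")
        if ticket is None:
            return ("vpn-outside-window",
                    f"VPN access from {flow['src']} to {flow['dst']} ({service}) with no open maintenance exception")
        return None                      # tunnelled, ticketed maintenance access: the permitted exception
    if src_in:                           # outbound across the boundary
        if ticket is None:
            return ("outbound-crossing",
                    f"{flow['src']} initiated {service} to {flow['dst']} outside the Protected Zone")
        return None
    return None                          # neither end is in the zone: not this boundary's concern


def audit(lines):
    """Evaluate every record; return [(record_no, rule, detail), ...] for violations."""
    findings = []
    for no, line in enumerate(lines, 1):
        verdict = evaluate_flow(parse_flow(line))
        if verdict is not None:
            findings.append((no, verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for no, rule, detail in audit(SAMPLE_FLOWS):
        print(f"record {no}: {rule}: {detail}")
```

Run against the constructed records, the script accepts the in-zone BACnet/IP exchange and the ticketed VPN session, and reports the four violations: a VPN session outside the maintenance window, Modbus TCP reaching the zone directly from the WAN, an outbound connection initiated from inside the zone, and a zone address arriving on the untrusted port. The same logic runs unchanged over exported firewall logs once the parser is adapted to the real record format.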

4.2 Isolated Network Deployment

Isolated Local Network

An isolated local network consists of servers that are connected in an environment which has no connection to any other network. In this model, there is zero network connectivity to a larger internal network or the Internet. Since there is no potential for remote exploits from a large number of unknown sources, this environment provides well defined physical, network, and security characteristics.

The access to this configuration is limited to personnel with access to the trusted admin hosts on the closed local network. Threats include an accidental connection being made to other networks, a trusted admin installing an unsigned package, or an application that might inject a malware agent.

Guidelines for the isolated local network model:

● Set all default passwords for uniqueness and complexity.
● Limit physical access to essential personnel.
● Avoid installing untrusted third-party software.

Stand-Alone Desktop Configuration

The stand-alone configuration is used at small sites that have few control units and require only a single operator station. The station can be either single- or multi-discipline.

In the stand-alone configuration, there is only one station, possibly with a client station, which contains all the software layers that make up the system (Client, Server, and Communication).

The following figure shows local access to an NK823x system with a stand-alone management station (MMS):


Fig. 6: Stand-alone Local Access MMS

Fig. 7: Stand-alone Local Access NK8237 Modbus Gateway

[Figure labels for Fig. 6 and Fig. 7: Protected Zone; LAN (Ethernet TCP/IP); Server / Client; Client; AlgoRex CS11, STT11/20, DF8000, Sintony SI410, FS20; 3rd party Modbus Client; STT20, FS20; BACnet/IP, Modbus TCP/IP; NK8237 Modbus Gateway]

Protected Zone: Physically separated, private network.
MMS: Management station

Component requirements

MMS

● Is part of the Protected Zone.

● Has no connection to other networks or systems.


NK823x device

● Is part of the Protected Zone.

● Has no connection to other networks or systems.

● A direct connection is established between the Protected Zone and the component in the protection zone.

Direct means that both devices and their cable connection are visible at the same time and thus a potential manipulation might be recognizable.

Physical separation of the management level network from the field level networks can further increase the security of the system.

Fig. 8: Stand-alone Local Access MMS with physically separated networks

[Figure labels for Fig. 8: Management level LAN (Ethernet); Client, Client, Server; NIC 1, NIC 2, NIC 3; Field level LAN (Ethernet); AlgoRex CS11, STT11/20, DF8000, Sintony SI410, FS20; Protected Zone]


Fig. 9: Stand-alone Local Access NK8237 Modbus Gateway with physically separated networks

4.3 Tunneled Network Deployment

A VPN (https://en.wikipedia.org/wiki/Virtual_private_network) is a solution for building a virtual network. A technique called tunneling is used in the VPN; it enables users to create a virtual network between two remote points on an existing public IP network and communicate freely.

With tunneling technology, packets transmitted on a physical communication medium (such as a conventional network cable or optical fiber) are encapsulated as the payload of another protocol (such as TCP/IP packets) instead of being transmitted directly on a physical network. Encryption and an electronic signature can be added at the same time as the encapsulation. Encapsulated data is transmitted through a session called a tunnel between the start and end point of the VPN communication. The other party, which receives the encapsulated data, removes the original packets from the capsules. If the data was encrypted when encapsulated, it must be decrypted. If an electronic signature has been added, the receiver can check whether the contents of the packet were tampered with during transmission by verifying the integrity of the electronic signature.

With VPN communication, the data transmitted between the sending and the receiving computer travels through the tunnel in encapsulated form, so unprotected data is never exposed on the network.

Fig. 10: Structure and operating principle of common VPN
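To make the encapsulation, integrity check and tamper detection described above concrete, here is an added Python example; it is not Siemens code and not any real VPN protocol. It wraps a constructed Modbus TCP frame (the kind of unprotected packet the guideline says must only travel inside a tunnel) in a tunnel header, encrypts it, appends an HMAC-SHA256 tag as the "electronic signature", and shows the receiving end verifying the tag before decrypting and rejecting modified or replayed capsules. The keys, the header layout and the PRF-in-counter-mode stream cipher (which stands in for the authenticated cipher a real VPN such as IPsec uses) are all assumptions of the example.

```python
"""Tunnel encapsulation with encryption and an integrity tag.

Added illustration (not Siemens code, not a real VPN protocol). An inner
packet is wrapped as header || ciphertext || HMAC tag. The receiver checks
the tag first (so a tampered capsule is never decrypted or parsed further),
then the sequence number (replay), and only then decrypts.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"VPN1"
NONCE_LEN = 12
TAG_LEN = 32
# Tunnel header: magic, 32-bit sequence number, per-packet nonce (assumed layout).
HEADER = struct.Struct(f"!{len(MAGIC)}sI{NONCE_LEN}s")

# Constructed demo keys; a real tunnel derives them from a key exchange.
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"demo-integrity-key").digest()

# Constructed inner packet: a Modbus TCP ADU (MBAP header, unit 1,
# function code 3 = read holding registers, start 0, count 10).
SAMPLE_MODBUS_ADU = bytes.fromhex("00010000000601030000000a")


class TunnelError(Exception):
    """Raised when a capsule fails the integrity or replay check."""


def _keystream(nonce, length):
    """Expand (ENC_KEY, nonce) into `length` pseudo-random bytes, block by block.

    HMAC-SHA256 used as a PRF in counter mode; stands in for a real AEAD cipher.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(inner_packet, seq):
    """Sender side: header || encrypt(inner) || HMAC(header || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)                     # fresh per capsule
    header = HEADER.pack(MAGIC, seq, nonce)
    ciphertext = _xor(inner_packet, _keystream(nonce, len(inner_packet)))
    tag = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decapsulate(capsule, last_seq):
    """Receiver side. Returns (inner_packet, seq); raises TunnelError on failure."""
    if len(capsule) < HEADER.size + TAG_LEN:
        raise TunnelError("capsule too short")
    body, tag = capsule[:-TAG_LEN], capsule[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):         # constant-time comparison
        raise TunnelError("integrity check failed: capsule was modified in transit")
    magic, seq, nonce = HEADER.unpack(body[:HEADER.size])
    if magic != MAGIC:
        raise TunnelError("not a tunnel capsule")
    if seq <= last_seq:                                # strictly increasing sequence numbers
        raise TunnelError(f"replayed capsule: seq {seq} <= {last_seq}")
    ciphertext = body[HEADER.size:]
    return _xor(ciphertext, _keystream(nonce, len(ciphertext))), seq


def rejected(capsule, last_seq):
    """True if the receiver rejects the capsule."""
    try:
        decapsulate(capsule, last_seq)
    except TunnelError:
        return True
    return False


def demo():
    """Round trip, tampering and replay, as the receiving end sees them."""
    capsule = encapsulate(SAMPLE_MODBUS_ADU, seq=1)
    inner, seq = decapsulate(capsule, last_seq=0)
    tampered = bytearray(capsule)
    tampered[HEADER.size] ^= 0x01                      # flip one bit of the ciphertext
    return {
        "roundtrip_ok": inner == SAMPLE_MODBUS_ADU and seq == 1,
        "plaintext_hidden": SAMPLE_MODBUS_ADU not in capsule,
        "tamper_rejected": rejected(bytes(tampered), last_seq=0),
        "replay_rejected": rejected(capsule, last_seq=1),   # seq 1 already accepted
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks in `decapsulate` is the point worth copying: authenticate the whole capsule before acting on any field in it, then enforce the sequence number, then decrypt. That is also why the tag covers the header and not just the payload; otherwise the sequence number could be rewritten without detection.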

[Figure labels for Fig. 9 and Fig. 10: 3rd party Modbus Client; Protected Zone; STT20, FS20; ETH1, ETH2; BACnet/IP, Modbus TCP/IP; NK8237 Modbus Gateway; Client PC; VPN Tunnel; Public IP Network (for example, the Internet); Office LAN; Packets]

Zone Boundary Protection and NK823x devices are Single Points of Failure for every remote connection. Therefore, for each installation, it must be determined whether all remote connections share one zone boundary protection component, or whether the remote connections must be placed on separate zone boundary protection components and distributed to separate NK823x devices. The second case is safer because breaching one of the protected zones can compromise only one subnetwork while the others remain safe. Conversely, in the first case, breaching the only protected zone compromises the whole network.

Remote Access

LAN/WAN connectivity is possible through the NK823x Ethernet ports.

Communication to components on the Internet must be secured with certificates provided by the customer or by a trust center. It must also be protected by professional hardware firewalls/DMZ.

The following figure shows a remote access setup for an NK823x installation with a remote management station and client stations:

Fig. 11: Remote Access

[Figure labels for Fig. 11: LAN (Ethernet); Client, Client, Server; Protected Zone; WAN; Router, Router; AlgoRex CS11, STT11/20, DF8000, Sintony SI410, FS20; Protected Zone]


Fig. 12: Remote Access NK8237 Modbus GW

UTNW: Untrusted network
VPN-EP: VPN endpoint
ZBP: Zone Boundary Protection
Protected Zone: Physically separated, private network.

[Figure labels for Fig. 12: LAN (Ethernet); Protected Zone; WAN; Router, Router; 3rd party Modbus Client; NK8237 Modbus Gateway; STT20, FS20; BACnet/IP, Modbus TCP/IP]


Component requirements

MMS

● Is not part of the NK823x Protected Zone.

● Is at the same time connected to an untrusted network (for example, a WAN).

● A direct connection over a dedicated cable is made to the router of the untrusted network.

● Initiates a VPN connection to the NK823x zone boundary protection component.

Zone Boundary Protection

● Uses a firewall to protect the Protected Zone.

● A direct connection over a dedicated cable is made from the router of the untrusted network to the boundary of the NK823x Protected Zone.

NK823x Device

● Physically separated network or stand-alone station.

● Forms a Protected Zone.

● The Protected Zone is accessed only through an external firewall.

● The computer with MMS must be configured as the access point to the NK823x device.

● A single route to the MMS, via the computer with MMS, must be configured in all Ethernet subscribers of the NK823x device for one extended network.

Direct means that both devices and their cable connection are visible at the same time, and thus potential manipulation might be recognizable.


Access MMS Through the Customer’s Network

If the MMS is installed in the customer network and connected remotely to the NK823x, a secure connection through VPN is required.

The following figure shows remote access to an NK823x system with the MMS located in the customer's network.

Fig. 13: MMS Remote Access Through the Customer's Network

[Figure labels for Fig. 13: Router + FW + VPN-EP; MMS; CNW; AlgoRex CS11, STT11/20, DF8000, Sintony SI410, FS20; Protected Zone]


Fig. 14: NK8237 Remote Access Through the Customer's Network

MMS: Management station
VPN-EP: VPN endpoint
Router + FW: router with firewall
CNW: Customer's network
Protected Zone: Physically separated, private network.

Component requirements

MMS

● Is not part of the NK823x Protected Zone.

● Establishes a VPN connection with the router.

Router with firewall

● The Protected Zone must be protected through a firewall.

● A direct connection over a dedicated cable must be placed at the boundary of the NK823x Protected Zone.

● The NK823x Protected Zone is a VPN "endpoint".

● The connection between the CNW and the NK823x Protected Zone is a "VPN tunnel".

NK823x Device

● Physically separated network or stand-alone station.

● Forms a Protected Zone.

● The Protected Zone is accessed only through an external firewall.

● The computer with MMS must be configured as the access point to the NK823x device.

● A single route to the MMS, via the computer with MMS, must be configured in all Ethernet subscribers of the NK823x device for one extended network.

[Figure labels for Fig. 14: Router + FW + VPN-EP; CNW; Protected Zone; NK8237 Modbus Gateway; STT20, FS20; BACnet/IP, Modbus TCP/IP; 3rd party Modbus Client]


Direct means that both devices and their cable connection are visible at the same time and thus a potential manipulation might be recognizable.


A6V11979536_en_--_b

Issued by
Siemens Switzerland Ltd
Smart Infrastructure
Global Headquarters
Theilerstrasse 1a
CH-6300 Zug
+41 58 724 2424
www.siemens.com/buildingtechnologies

© Siemens Switzerland Ltd, 2021
